Google has outlined its approach to deprecating the compromised SHA-1 hash in its Chrome browser.
Like the rest of the security world, Google believes the SHA-1 hash function just isn't safe any more. That's a reasonable position, because practical attacks against it have been demonstrated without enormous effort. Mozilla, Microsoft and Facebook have all therefore proposed to stop using it and to make life hard for those still relying on SHA-1 certificates.
Google's now explained its plan for SHA-1.
The Alphabet subsidiary's cunning plan starts with Chrome 48, due early in 2016, which will present users with a warning when a site's certificate:
- is signed with a SHA-1-based signature
- is issued on or after January 1, 2016
- chains to a public CA
Subsequent versions of Chrome will display errors if SHA-1 certificates are employed.
On or before January 1, 2017, “Chrome will completely stop supporting SHA-1 certificates.”
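As an added example (not code from the article, Google or Chrome), here is a Python check a site operator could run over their own DER certificates to see where they sit on the timeline above: it parses only the signature algorithm OID and the notBefore date, and takes "chains to a public CA" as a caller-supplied flag because that needs the whole chain. The `sample_cert` helper builds a constructed, unsigned certificate skeleton so the check can be exercised offline; it is not a real certificate.

```python
from datetime import date, datetime
# SHA-1 signature OIDs (RFC 3279); a cert signed with one of these is a "SHA-1 certificate".
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
WARN_FROM, SUNSET = date(2016, 1, 1), date(2017, 1, 1)  # Chrome 48 warning start; full SHA-1 cut-off

def read_tlv(buf, pos=0):   # one DER element at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length used by real certs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)                   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):                              # UTCTime (0x17) or GeneralizedTime (0x18)
    s = raw.decode("ascii")
    s = (("19" if int(s[:2]) >= 50 else "20") + s) if tag == 0x17 else s  # RFC 5280 two-digit year rule
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").date()

def signature_facts(cert_der):                          # -> (signature algorithm OID, notBefore date)
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])         # Certificate -> tbsCertificate
    tag, _, pos = read_tlv(tbs)                         # [0] version (optional) or serialNumber
    pos = read_tlv(tbs, pos)[2] if tag == 0xA0 else pos # skip serialNumber if version was present
    _, alg, pos = read_tlv(tbs, pos)                    # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                      # issuer Name (not needed here)
    nb_tag, nb, _ = read_tlv(read_tlv(tbs, pos)[1])     # Validity -> notBefore
    return decode_oid(read_tlv(alg)[1]), decode_time(nb_tag, nb)

def sha1_verdict(cert_der, chains_to_public_ca=True, today=None):  # 'ok', 'warning' or 'blocked'
    oid, not_before = signature_facts(cert_der)
    if oid not in SHA1_SIG_OIDS:
        return "ok"
    if (today or date.today()) >= SUNSET:               # "completely stop supporting SHA-1"
        return "blocked"
    return "warning" if not_before >= WARN_FROM and chains_to_public_ca else "ok"   # Chrome 48 rule

def der(tag, content):                                  # short-form lengths only; enough for the sample
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid_hex, not_before):               # constructed, unsigned skeleton, not a real cert
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"")
           + der(0x30, der(0x17, not_before) + der(0x17, b"181231235959Z")))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))
```

Run it against a real DER file with `sha1_verdict(open("site.der", "rb").read(), chains_to_public_ca=True)`; a PEM file needs base64-decoding first.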
Lucas Garron, of the Chrome security team, and David Benjamin from Chrome's networking group write that they hope SHA-1 is kicked off the internet long before that date. The two write that Google is “considering” a move to July 1, 2016, Microsoft's and Mozilla's preferred date for the banishment of SHA-1 from the internet. ®